Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

application_filter param missing from azuread_conditional_access_policy applications condition #1318

Open
dasguptavivek opened this issue Feb 26, 2024 · 0 comments · May be fixed by #1357
Open

application_filter param missing from azuread_conditional_access_policy applications condition #1318

dasguptavivek opened this issue Feb 26, 2024 · 0 comments · May be fixed by #1357

Comments

@dasguptavivek
Copy link

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

Currently the Entra ID Conditional Access policy can be created via terraform using this resource azuread_conditional_access_policy (provider azuread) . Policies can be scoped to certain applications or user actions using these params

conditions->applications->
included_applications, excluded_applications, included_user_actions

However for organisations having hundreds or thousands of apps, this is not a viable way of grouping applications for a certain policy.

Instead, the Azure Portal and also MS Graph REST API (beta and v1.0) provides an option of application_filter to apply the policy to certain applications based on the filter condition.

This is documented here https://learn.microsoft.com/en-us/graph/api/resources/conditionalaccessapplications?view=graph-rest-beta#properties. (Note that this is beta documentation, but even v1.0 supports this) . See the applicationFilter param option.

It would be great to have terraform azuread provider also support this.

This allows organisations to apply specific policies to a group of Applications based on certain security attributes or any other attributes. (One example being - using the Custom Security Attributes within Entra ID)

New or Affected Resource(s)

  • azuread_conditional_access_policy

Potential Terraform Configuration

As a result of this feature the conditions->applications will have a new "application_filter" option

resource "azuread_conditional_access_policy" "example" {
  display_name = "example-policy"
  state        = "enabled"

  conditions {
    client_app_types    = ["All"]

    applications {
      application_filter {
        rule = "CustomSecurityAttribute.AppSecAttributeSet_AppSecurityStatus -eq \"CriticalApp\""
      }
    }

    users {
      included_groups = ["All"]
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["mfa"]
  }

}

Thus in this case the policy will apply to all Entra ID Apps which have a Custom Security Attribute (AppSecurityStatus = CriticalApp ), within the AppSecAttributeSet (attribute set).

References

https://learn.microsoft.com/en-us/graph/api/resources/conditionalaccessapplications?view=graph-rest-beta#properties

https://learn.microsoft.com/en-us/graph/api/resources/conditionalaccessfilter?view=graph-rest-beta

https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/resources/conditional_access_policy#applications

  • #0000
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
1 participant
@dasguptavivek